<!DOCTYPE html>
<html>
<head>
  <title>Setup web-component - CVE-Search</title>

  <meta charset="utf-8">

  <link href="./css/style.css" rel="stylesheet" />
</head>
<body>
  <h1>Setup the web-component for CVE-Search</h1>
  <p>
    This document will explain how to set up the web-component for CVE-Search. 
    This documentation assumes you have installed all the components of CVE-Search and ran the first initialization scripts.
  </p>

  <h2>Settings</h2>
  <p>
    Before we start the web server, we will go over the settings in the configuration.ini file, and explain what every setting means.
    The settings for the web-server can be found under the head <span class="highlight">[Webserver]</<pan>
    <table>
      <thead>
        <tr><td>Setting</td> <td>Default setting</td> <td>Explanation</td></tr>
      </thead>
      <tr><td>Host</td> <td>127.0.0.1</td> <td>The address by which the web-server is accessible. Either loop-back or one of the machine's IP addresses</td> </tr>
      <tr><td>Port</td> <td>5000</td> <td> The port on which the web-server will be running </td></tr>
      <tr><td>Debug</td> <td>True</td> <td>When the server runs in <a href="#debug">debug mode</a>, SSL will be turned off and the web-server will be in <span title="The server will process only one request at a time and block the others until the current one is ready">Blocking Mode</span></td></tr>
      <tr><td>PageLength</td> <td>50</td> <td>The amount of <abbr title="Common Vulnerability and Exposure">CVE's</abbr> that will be displayed per page</td></tr>
      <tr><td>LoginRequired</td> <td>False</td> <td>Decides whether <a href="#users">users</a> have to log in to access <a href="#admin_pages">admin pages</a>.</td></tr>
      <tr><td>SSL</td> <td>False</td> <td>Decides whether SSL is used to secure the connection. See <a href="#ssl">SSL</a> for more information on how to set this up</td></tr>
      <tr><td>Certificate</td> <td>ssl/cve-search.crt</td> <td> The certificate used for the SSL connection. More info under <a href="#ssl">SSL</a></td></tr>
      <tr><td>Key</td> <td>ssl/cve-search.key</td> <td> The key used for the SSL connection. More info under <a href="#ssl">SSL</a></td></tr>
    </table>
  </p>

  <h2 id="debug">Debug mode</h2>
  <p>
    Running the server in debug mode allows for easier development of the server. By setting this value on <span class="code">True</span>, the server will only use the Flask module.
    This means that the server will be set to <span title="The server will process only one request at a time and block the others until the current one is ready">Blocking Mode</span>, <a href="#ssl">SSL </a> will be disabled, overriding the configuration.ini settings, and the server will give more visual debug output. <br />
    Setting this value on <span class="code">False</span>, the server will take the default SSL settings from the configuration.ini file and will enable the Tornado module, putting the server in <span title="The server will process multiple requests at the same time">Non-Blocking mode</span>, and reduce the visual debug output. <br />
    It is advised not to run the server in debug mode when you run it in a production environment. However, when you are developing or testing CVE-Search alone or with a small group of people, it is advised to run it in debug mode, as it will give you a lot more information when the application crashes for some reason.
  </p>

  <h2 id="users">Users and Login</h2>
  <p>
    If you decide to make use of CVE-Search's login system, you will need to add users to the user-list. To do this, you'll be using the <span class="code">db_mgmt_admin.py</span> script. <br />
    This script takes several parameters, as mentioned below:
    <table>
      <thead>
        <tr><td>Parameter</td> <td>Arguments</td> <td>Explanation</td></tr>
      </thead>
      <tr><td>-h, --help</td> <td>None</td> <td>Displays the help page</td></tr>
      <tr><td>-a A</td> <td>name of user</td> <td>Add a user account</td></tr>
      <tr><td>-c C</td> <td>name of user</td> <td>Change the password of a user</td></tr>
      <tr><td>-r R</td> <td>name of user</td> <td>Remove a user account</td></tr>
      <tr><td>-p P</td> <td>name of user</td> <td>Promote a user account to <a href="#master">Master</a></td></tr>
      <tr><td>-d D</td> <td>name of user</td> <td>Demote a user account to a normal user </td></tr>
    </table>
  </p>
  <h3 id="master">Master accounts</h3>
  <p>
    The first account that you add will automatically be a Master account. Master accounts are accounts with the privilege to add, remove, promote and demote other user accounts.
    Every user can access the admin panel, regardless whether he has a Master account or not.
  </p>
  <h3>Creating accounts</h3>
  <p>
    You can create a user account by using the command <span class="code">Python3 db_mgmt_admin.py -a user</span>, where user is the name of your account. <br />
    If this is the first account in the database, the script will not require a <a href="#master">Master</a> password, and the account created will be a Master account.
    If this is not the first account, the script will ask you to log in using a Master account, before you can proceed.<br />
    Next, the script will ask you for a new password for the user. You will not see the characters when you type the password. This is to protect the user's password from spying eyes.
    After verifying the password, the user account will be created.
  </p>
  <h3>Changing account passwords</h3>
  <p>
    Every user can change his or her password by typing <span class="code">Python3 db_mgmt_admin.py -c user</span>, where user is the name of your account. </br />
    Running this script will ask you the current password of your user account. After entering this password, it will ask you to type your new password twice.
    After you typed your new password, the user will be updated, and the new password will be stored.
  </p>
  <h3>Removing accounts</h3>
  <p>
    Master accounts can remove users by typing <span class="code">Python3 db_mgmt_admin.py -r user</span>, where user is the name of the account. <br />
    Removing an account requires a Master account to log in. If the account you're trying to remove is not the last Master account, it will not be removed. 
  </p>
  <h3>Promoting accounts</h3>
  <p>
    Master accounts can promote other accounts by typing <span class="code">Python3 db_mgmt_admin.py -p user</span>, where user is the name of the account. <br />
    Promoting a user grants this user the privileges to add, remove, promote and demote other users.
  </p>
  <h3>Demoting accounts</h3>
  <p>
    Master accounts can demote him/herself or other accounts by typing <span class="code">Python3 db_mgmt_admin.py -d user</span>, where user is the name of the account. <br />
    If the account you're trying to demote is the last Master account, it won't work. Demoting users reduces their privileges to that of a normal user, so he/she can only change his or her own password.
  </p>

  <h2 id="ssl">SSL - Secure Socket Layer</h2>
  <p>
    The use of SSL will make sure your users traffic can not be sniffed. This will make sure people with bad intentions can't get user passwords or any other information.
  </p>
  <h3>Setting up SSL</h3>
  <p>
    To set up SSL on your server, you need a certificate and a key. On Linux, you can create these by running the following command: <br />
    <span class= "code">openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /ssl/cve-search.key -out /ssl/cve-search.crt</span> <br />
    The parameter <span class="code">-days</span> lets you choose the duration the certificate must be valid. In this example, this is 365 days. <br />
    The parameter <span class="code">-newkey</span> lets you choose the algorithm and length of the key and certificate. If you don't know what you're doing, use the default value. <br />
    The parameter <span class="code">-keyout</span> is the output of your new SSL key. Make sure this location is the same as the <span class="code">Key</span> value of your configuration.ini file. <br />
    The parameter <span class="code">-out</span> is the output for your new SSL certificate. Make sure this location is the same as the <span class="code">Certificate</span> value of your configuration.ini file. <br />
    <br />
    After hitting the Enter key, you'll be requested to fill out your organizational information. This will be visible on the certificate, and will be a way for your users to verify your certificate, as this will be <span title="Self-signed certificates are certificates that are not validated by external sources.">self-signed</span>.
    When users surf to your website, they will get a warning, and they will have to accept this certificate.
  </p>

  <h2>Starting and stopping the web-server</h2>
  <p>
    Once you set up the configurations.ini file how you want it to be, you can start the webserver by simply running <span class="code">python3 web/index.py</span>. <br />
    To stop the server, you can simply press the <abbr title="Hold down the Control key and the C key at the same time">CTRL+C</abbr> combination. <br />
    <br />
    Alternatively, on Linux, you can start the server by running <span class="code">nohup python3 web/index.py &</span>.
    This will make the server run in the background. However, this makes it so you cannot use the <abbr title="Hold down the Control key and the C key at the same time">CTRL+C</abbr> combination. 
    Instead, you will have to find the processes related to the web-server, by using <span class="code">ps aux | grep web/index.py</span>. Then kill them using the <span class="code">kill -15</span> command on all the processes related to the server.
  </p>

  <h2>Using the web-server</h2>
  <h3>Pages for normal users</h3>
  <p>
    All users will be able to view the recent CVE's, search for <abbr title="Common Vulnerability and Exposure">CVE's</abbr> related to a product and get all <abbr title="Common Vulnerability and Exposure">CVE</abbr> information. In the table below, you can find a short description of each page this user can go to.
    <table>
      <thead>
        <tr><td>Page</td> <td>Description</td></tr>
      </thead>
      <tr><td>Recent</td> <td>An overview of all the CVE's, ordered from recent to old. You can use the filter to enhance your search.</td></tr>
      <tr><td>CVE</td> <td>The overview of a CVE. You can find all the information that is in the CVE-Search database in here. </td></tr>
      <tr><td>Browse per vendor</td> <td>Lets you search <abbr title="Common Vulnerability and Exposure">CVE's</abbr> per product. The result is ordered from new to old, sorted by Last Major Update</td></tr>
    </table>
    Every <abbr title="Common Vulnerability and Exposure">CVE</abbr> has a few base fields. These fields are:<br /><br />
    <table>
      <thead>
        <tr><td>Field</td> <td>Explanation</td></tr>
      </thead>
      <tr><td>ID</td> <td>The identifier of a CVE</td></tr>
      <tr><td>Summary</td> <td>The description of a CVE, with an explanation the attack vector and the result</td></tr>
      <tr><td>References</td> <td>Links to other websites with information about the CVE. These can be vendor statements, explanations, etc</td></tr>
      <tr><td>Vulnerable Configuration</td> <td>The products that are vulnerable to the CVE. This field can be empty if the <abbr title="Common Vulnerability and Exposure">CVE</abbr> is still new, and information is not complete yet.</td></tr>
      <tr><td>CVSS</td> <td>The score given to a CVE. This score represents the risk and damage. If this field is not yet set by NIST's <abbr title="National Vulnerability Database">NVD</abbr>, the default value, specified in the configuration.ini file,will be used.</td></tr>
      <tr><td>Last Major Update</td> <td>The last major update a <abbr title="Common Vulnerability and Exposure">CVE</abbr> had. This is set to the latest update where information is added or changed</td></tr>
      <tr><td>Published</td> <td>The date the <abbr title="Common Vulnerability and Exposure">CVE</abbr> got published</td></tr>
      <tr><td>Last Modified</td> <td>The date the <abbr title="Common Vulnerability and Exposure">CVE</abbr> got last modified. Modifications can be spelling changes, changes in wording etc.</td></tr>
    </table>
  </p>
  <h3 id="admin_pages">Admin Pages</h3>
  <p>
    When login is required, admins have access to more pages then normal users. If login is not required, normal users will have access to these pages as well. <br />
    The admin page is the main control panel for the admin. From this page, he can update the database, as well as view and manage the white/and blacklist. All the admin functions are accessible by using the navigation buttons.
  </p>
  <h4>Updating the database</h4>
  <p>
    Updating the database can be done by a press of the update button, on the admin panel. Alternatively, you can use the update script <span class="code">db_updater.py</span>. The button press runs <span class="code">python3 db_updater.py -civ</span>.
    For more information on the scripts parameters, run <span class="code">Python3 db_updater -h</span>.<br />
    The sources used by CVE-Search are listed in the configuration.ini file. 
  </p>
  <h4>Managing white- and blacklists</h4>
  <p>
    The white- and blacklists can be used to manage the information your users see. Adding a <abbr title="Common Platform Enumeration">CPE</abbr> to the whitelist, any <abbr title="Common Vulnerability and Exposure">CVE</abbr> which has this <abbr title="Common Platform Enumeration">CPE</abbr> in its vulnerable configurations will be marked.
    Adding a <abbr title="Common Platform Enumeration">CPE</abbr> to the blacklist will hide all the <abbr title="Common Vulnerability and Exposure">CVE's</abbr> which are only applicable to this CPE. This way you can hide <abbr title="Common Vulnerability and Exposure">CVE's</abbr> for products you're not interested in.
    This default behavior can be overruled by the search filter on the "Recent" page, and by no means excludes these items from the database.<br />
    CPE's have a specific format, and can be used as regular expression to mark or exclude CPE's. The default format of a <abbr title="Common Platform Enumeration">CPE</abbr> is: <br />
    <span class="code">cpe:/type:vendor:product:version</span><br />
    The type can be <span class="code">a</span> for application, <span class="code">h</span> for hardware or <span class="code">o</span> for operating system. <br />
    <strong>Example:</strong><br />
    <span class="code">cpe:/h:3com:3c13612:5.26.2</span> is a piece of hardware, produced by 3com. The product name is 3c13612, and the version is 5.26.2. Adding this to the whitelist will make CVE-Search mark all the <abbr title="Common Vulnerability and Exposure">CVE's</abbr> applicable to this specific setup.
    However, if you don't want just this version number, you could add <span class="code">cpe:/h:3com:3c13612:</span>, for all the versions, or even <span class="code">cpe:/h:3com:</span> for all the hardware 3com produces.
  </p>

  <h2>Logging</h2>
  <p>
    Logging only occurs when Debug mode is set to <span class="code">False</span>. <br />
    Logging can be useful when multiple people are using your server, and you cannot monitor it the entire time. When your server does not run in debug mode, you can use logging to still get reports of crashes or malfunctions.
    The configurations.ini file contains a few options regarding logging, which are briefly explained below:
    <table>
      <thead>
        <tr><td>Setting</td> <td>Default setting</td> <td>Explanation</td></tr>
      </thead>
      <tr><td>Logging</td> <td>True</td> <td>Setting this value to <span class="code">True</span> enables logging. <span class="code">False</span> turns logging off</td></tr>
      <tr><td>Logfile</td> <td>log/cve-search.log</td> <td>The file the logs will be saved to</td></tr>
      <tr><td>MaxSize</td> <td>100MB</td> <td>Maximum size of the logfile. Can take the format of <span class="code">100</span>, <span class="code">100 b</span> or <span class="code">100b</span>. b means bytes, mb means megabytes and gb means gigabytes.</td></tr>
      <tr><td>Backlog</td> <td>5</td> <td>Amount of logfiles the server saves.</td></tr>
    </table>
    <br />
    When the size of the logfile exceeds the amount set in MaxSize, a new file will be created. If the settings are like above, this file will be called log/cve-search.1.log.
    If either MaxSize or Backlog is set to 0, this will not happen, and the logfile will have no maximum size.
  </p>
</body>

</html> 
